Pursuant to 37 C.F.R. § 41.41, Applicant responds to the Examiner's Answer as follows:



Rejection of Claims 7, 9-14, 19-23, and 26 over Botros. 



tTarss 1 rv_?j 

The examiner maintains the rejection of these claims arguing now that: 



As iJon-os discloses the psrodoria" of an histogram of received network traffic 
see €o3 3 to 37-5i & I Hi & 1 fh< n ! hs Botros 

iadwdt'S the »w activities ami peer activities collectively Sxmt; stored «» a data 
store for comparison to detect ahnormai Irchavior thorough the use of a histogram 
sec Col 4 L« 5 7-25. Where the network is being examined imtkdh h> collect date on 
the ascrs o» the network ami form a distribution of tt«s, i.e. histogram sec G>i 3 
to- 37-44. Botros discloses the raw data collected include the data <*f eimmsiustis 
performed, ttser activities see Cut 6 La 53-62..., 1 



The examiner seems to equate "user activities" with network traffic and indeed Botros
may use a network to collect data on "user activities." Indeed, in the examiner's explanation, the
own it \ i ha 



tug divided i tit < : 
< r a* t > t.h tin - « < i i tf s.Se a < 

s ui itsii vht i i H f u k traffic see < >} 7 Ln 1 1«23. In 

Shan resource a»d files are most likely shared oo a network through a server sod 
i J! ! ' i t i if ; S s „ i 'i it 1 
However, claim 7 requires: "producing a histogram of received network traffic for at least
one parameter of network packets and characterizing an attack based on comparison of a
historical histogram with the produced histogram data for one or more parameters." Thus, the
1 5 . i ^ 5 > nm< tk naHa >ut at the eve! oi the nefu >jk pick, u ^ -u« re . m 
network packets, as explicitly recited. Botros does not disclose any mechanism to collect data on 
* )ai neter of net work j met a histogram of dra eter a 

histogram to a historical histogram for that parameter or indeed disclose network packets or 
network traffic. 

Accordingly, Botros cannot anticipate claim 7, nor render claim 7 obvious, since Botros
does not possess all elements of the claimed invention arranged as in the claim. See Connell v.
Sears, Roebuck & Co., 220 U.S.P.Q. 193, 198 (Fed. Cir. 1983).

Claims 9 and 10 

The examiner argues that: "As Botros discloses the time periods being varied from 4 to 6
months see Col 10 Ln 29-39." However, claim 9 for instance requires that: "the historical
histogram is based on time periods that can range from 1 hour to 1 week or more." There is no
description in Botros of time periods having the duration as in claim 9.

Claims 11-14

The examiner continues to argue that: "Botros discloses the computation of the difference 
m the hum, , 1 x aa no such 

teaching is present in Botros. Botros merely describes that:

Jim h desse in subtracting the user's current .Klivslv value from the peer 
i i « s i xii fn the \ j n i ' 

s i i isratoa kaOfir is ir;!»sti«:>! iisi < m < tt«> u 
adsted to ttit reaJwrss list im M step 768: 

T is v i ,! s_> a > v the ri J<hso a ot ! ti; oi no u cpioduced 
and the historical histograms for each parameter and computing their differences to identify



significant outliers that are considered indicators of suspicious traffic," as recited in claim M.
There is no mention in Botros that the histograms are used in subtracting.

Claims 19, 20, and 26

Appellant contends that Botros does not describe the data collector of claims 19,
20 and 26. The examiner equates the function of a database to that of a data collector. However,
the function of the data collector is to collect statistical information, as described by Appellant,

' — .i > i \ 1 L r m claim 19. to execute the m, T \ < t v < tt i 

collector. Botros "database" is not described as capable of executing any method that would
correspond to . < iceucd in claim 7. 

Claims 22 and 23

Regarding Appellant's claim 22 the examiner argues: "... Botros discloses the setting of 
, i i 1 \ a jet Iikl + ti t poMto.e and no o b* com. i * <. 1 

intrusions see Col 12 Ln 52- Col 13 Ln3, Where the factor is being adjusted to capture the 
oris d to a\ >id false (Serfs thereby reducing blocking legrmnate fame." 

Claim 22, however, deals with correlation of suspicious parameters to reduce blocking of
legitimate traffic. Botros on the other hand does not describe any correlation process.
Mo Mi mo > n ! vi n Bot.os is aucUcJ ? 1 1 no Oaivai s > xk >. 
Botros. not ay correiat n>' t i rametei o i h < e docl ig of legit < i f! 

Rejection of Claims 1-6, 8, 15-18, 24-25, 27, 30-36 over Botros in view of Wetherall

Claims 1, 3 and 4 

. v ext . does t el e Wed sra 1 to tea h a pa note f m at i < i es not 
ddiesv x < >< c 1 iiyoi oi vlamt id J.m a t J arm 

explicitly mentions network packets as the source of the network traffic. Claim 1, in contrast,
iocs not rut cf stead uses sh rt-haud expres ork traffic 



Howevet n speci the irguments made by the ex 

-rw i : at hot < s » ^ o s ^vsN , , eiuiio i rioce-A in Jo t r >x s dsa % allies o a 
parameter of network traffic exceed normal values for the parameter to indicate an attack on the
data center." 

The examiner also maintains that Botros teaches: "exceeding of normal values . in the
same terms as the instant invention see Col 9 Ln 3 J -46." However, there Botros merely

ed usei There is no teaching o a parameter of 
■ ! v - » ! I o id mi es u, me pai mides to nd «.a « k , J > i 
. t jtu ' !h is* is urK Ji . , i_ v d. ' sc a* not i name ete; e ic v oik frahae 

ippel lam s howeves so notes thai dk histt grams described h Bins 
mode n I o conipt e sign scant ttlicrs and classify*) i attack as claimed 

The examiner argues that: "At the outset the Appellant has misunderstood the rejection.
! >< « > ui^ dner was to say that Botros does not disclose the parameters to 

cortpnie s p j i, un «*<(! ..h!, ^h, t <u N s " Appellant asks; "How can the examiner state 
that Appellant has misunderstood the rejection, when the examiner readily admits that the

n ! i c 5 m 'i t 1 5 i t i v.! ) * i ! 

argue and/or amend the claims to overcome the rejection?" 

Nonetheless eexamin is previously c et that B » irgued abovt t d of 
! v f >, o <. ) ) i ^ > Lompiik U I'eud is id s % ik s 

According K N s e e\ u u . o It 1 im the te tdmsq- a Wethaiad K , ike ) i,-- Wethe- i ! also 
does not disclose the filtering packets based on characterization, as recited in claim 1. 
The examiner argues that: 

The Appellant's argument regarding the modifying of Botros with Wetherall
would not serve any purpose of Botros is not persuasive. As Botros deals with

iihn .i i(, n • ii'i irm <>t In hi h< t i »t hit ..« , t 
Similarly, Wetherall deals with generation of histograms and comparing of

< > i i 1 u k t, > )!« . o * n t> i 'i , 1 i 

f 1 '1 j t ! if ! (J 1 * 

relevant to the iustanl invention and hoih disclose an great detail the trcdant 
iavtSnlfela. 
Appellant contends that there exists no suggestion to combine Botros with Wetherall for
all of the reasons of record. Moreover, the examiner's newly stated motivation quoted above
only serves to undercut the previous argument made by the examiner, namely that: "Wetherall
deals with generation of histograms and comparing of historic histograms to classify attacks
further advancing Botros by the inclusion of filters serving to eliminate spoofed addresses."

t < ^ Oi 1 * ! s \ ( H ( { s hi if i otr s M t s. U,s 1 ( ^ v 

< template Bolt seen where does Botros dis ss i spoofed address, o 

indeed network packets or network traffic. 

Accordingly, neither Botros nor Wetherall taken together or separately suggest a
detection process to determine if the values of a parameter of network traffic exceed normal
values for the pas i tact- on th< d m ceuk e cos 

build a histogram for the parameter to compute significant outliers in a parameter and classify
the attack and a filtering process for filtering of network packets based on the characterization 
process. 

Claims 2 and 5

Appellant's claim 2 specifically deals with representing suspicious parameter values by a
bit vector to track good and bad values. Botros neither describes nor suggests a bit vector.
Moreover, contrary to the examiner's interpretation of Botros, Botros' disclosure of: "the ratio
containing a mixture of bad and good values see Col 12 Ln 37-39" is again directed to training a
model and selecting values that have a mixture of bad and good. These teachings have no
) vHA itilU, t !vv ' n i vcs^tl it ipie Nssms \ aso , \Jt,ish\ i ho 
vector with a 1 in every position corresponding to a "bad" value, and a 0 in every position
corresponding to a "good" value.

fee n . i >ii l W i "pnhihC \ k tk cxamim-: Ci v. / » a.- i 
hi %o "m n (\ - n u sp I K MUO'ieU gi. su <. U u\ ts« 

data embodied within a computer "consists of bits, is being used as a reference for future 
comparison to detect attacks." However, that is not a bit vector and indeed is an illogical and
improper argument. 
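
The following is an added illustration, not part of the brief and not code from the application or from either cited reference. It sketches the technique the quoted claim language describes: a histogram per packet parameter is compared with a historical histogram, the differences identify outliers, each parameter gets a bit vector with a 1 for every "bad" value and a 0 for every "good" value, and the flagged parameters are correlated before filtering. The packet fields, sample data, function names and the 0.2 threshold are assumptions made for the example.

```python
from collections import Counter

# Constructed sample packets as (ttl, protocol, length); not real capture data.
HISTORICAL = [(64, "tcp", 1500)] * 50 + [(128, "tcp", 600)] * 30 + [(64, "udp", 100)] * 20
PRODUCED = ([(64, "tcp", 1500)] * 25 + [(128, "tcp", 600)] * 15
            + [(64, "udp", 100)] * 10 + [(255, "udp", 40)] * 50)
PARAMS = {"ttl": 0, "protocol": 1, "length": 2}  # parameter name -> tuple index


def histogram(packets, index):
    """Share of packets carrying each observed value of one parameter."""
    counts = Counter(p[index] for p in packets)
    return {value: n / len(packets) for value, n in counts.items()}


def bit_vector(historical, produced, threshold):
    """Per value: 1 ("bad") if its share grew by more than threshold, else 0 ("good")."""
    values = sorted(set(historical) | set(produced))
    bits = [1 if produced.get(v, 0.0) - historical.get(v, 0.0) > threshold else 0
            for v in values]
    return values, bits


def characterize(historical_pkts, produced_pkts, threshold=0.2):
    """Compare histograms for every parameter; keep those with at least one bad value."""
    profile = {}
    for name, idx in PARAMS.items():
        values, bits = bit_vector(histogram(historical_pkts, idx),
                                  histogram(produced_pkts, idx), threshold)
        if any(bits):
            profile[name] = {"values": values, "bits": bits,
                             "bad": {v for v, b in zip(values, bits) if b}}
    return profile


def filter_packets(packets, profile):
    """Drop a packet only if it is bad in every flagged parameter (correlation)."""
    def suspicious(p):
        return bool(profile) and all(p[PARAMS[n]] in d["bad"] for n, d in profile.items())
    return [p for p in packets if not suspicious(p)]


if __name__ == "__main__":
    profile = characterize(HISTORICAL, PRODUCED)
    for name, d in profile.items():
        print(name, d["values"], d["bits"])
    print(len(filter_packets(PRODUCED, profile)), "packets kept")
```

Requiring a match in every flagged parameter is one simple form of correlation: the constructed UDP packets with the usual TTL and length are kept even though UDP as a whole is flagged.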

Claim 6

The examiner argues that because A.. Wetherall discloses the source address being used
to gather dj ; f \\\ ■ .> < istogram and further of the histogram being used to compare 
the historical histo + , rg of packets see Pax 0012 Welln it leas ggests 

chum 6 " Appellant disagrees. \\ idle claim 6 mentions source address, c - > uses the so e. 
iddress to dcU im f the values of source address exceed norm values lo h . u 1 
Wetherall, in contrast, does not classify the attack based on the source IP Address, but instead
uses a histogram of source address as a basis for filtering of the packets.

Claim 8

I } t d to the examine* n < i 

Claims 15-17 

The examiner now argues that Wetherall discloses that the reference profile being used to compare
with current profile see Par. 0056 corresponds to the master correlation bit vector, advancing the
reasoning hat \nd this dons hrough the use of dig al sg th ata . bit vector, and 
furthe compel ng th< oug view resemblance n Iht reference pro! > vector, see Pat 

*0 U ! O i, J 1 i 1 i i ^ 

f i 004 1 For all of the reasai a sse< abo for the bit vet o J s 1 k ol i tson u that 
these functions occur in a computer using digitized data are totally without merit. 

Claim 18

The Examiner refers the board to the examiner's argument in Claim 6.



<;khJL~i 

The Examiner refers the board to the examiner's argument in Claims 1, 3 and 4 above.
The examiner states that: 'v 1
dst< f ' ! , . v tacks Is not bei? isciosed by Wetherall , . . " 

Appellant contends that this is incorrect. Appellant clearly argued that the features of
-hum 3 ik c e ork traffic through c\ spo (I Ix veen the data 

center and a network, determining if values of at least one parameter exceed normal threshold
values expected for the parameter to indicate an attack on the site, producing a histogram for the
at least one parameter of network traffic to characterize the attack by comparing the histogram to 

ot 1 at parameter, and filtering out traffic based on 
characterizing the traffic, which the gateway deems to be part of an attack.

Phe foeib on likas oy. vmph adasewal tu lex ns ot the e\aumet s :e caton 11 
no combination of Botros with Wetherall suggests: monitoring network traffic through a gateway
disposed between the data center and a network, determining if values of at least one parameter
exceed normal threshold values expected for the parameter to indicate an attack on the site,
producing a histogram for the at least one parameter of network traffic to characterize the attack 
b) cos ) I sfognu ast one hi 1 aieal his ogram for that pa « Iterin 

out traffic based on characterizing the traffic, which the gateway deems to be part of an attack. 

( [aim 53 \nt|_34 

rhe ex < Appellant's arguments directed to i 

(.oil tied win. gaicw,^ <>. < o center/' are not pcrsttasrve Botro di« dev. >e tho 
feature by disclosure of "a log and a database see Fig. 2 item 12 & 102" for the reasons of 
record. 

Bot so does disclost ledicaled I in] he control cem hardet 
network" by: v .. Fig. 1 & Fig. 2, where the direction of flow is unidirectional thus indicative of
a dedicated t ( ^ k And additiona % Botros discloses bu s to hue ice ill etworl id 
storage see Fig. 15."
I *e ; s t ! i lotros thi co re po id to a dedica i k ween th
gateway and control center and such feature is simply not met by a bus. Moreover, in Figs. 1 and
2 of Botros, there do not exist buses or networks, but mere generalizations of cooperation
between the depicted elements.

Claims 37

The examiner has indicated allowance of claims 37-40. 

fo^ dxscxMsons ane 4 he reasons stated nahc \opeai H; 1 \piU u m ouilt 
final rejection should be reversed. 

Please apply any charges or credits to Deposit Account No. 06-1050.

Respectfully submitted. 